From 1ead0c2a3eb2791bfb60a2bfd9d8515df8d7b843 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:21:57 +0000 Subject: [PATCH 1/8] Run slash-command-dispatch only for PR comments to prevent failures --- .github/workflows/slash-command-dispatch.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/slash-command-dispatch.yml b/.github/workflows/slash-command-dispatch.yml index c3535999349..78415014e27 100644 --- a/.github/workflows/slash-command-dispatch.yml +++ b/.github/workflows/slash-command-dispatch.yml @@ -4,6 +4,8 @@ on: types: [created] jobs: slashCommandDispatch: + # This job only runs for pull request comments + if: ${{ github.event.issue.pull_request }} runs-on: ubuntu-latest permissions: # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR @@ -36,8 +38,8 @@ jobs: } - name: Dump the get-pr payload context env: - GETPR_OUTPUTS: ${{ toJson(steps.get-pr.outputs) }} - run: echo "$GETPR_OUTPUTS" + GET_PR_OUTPUTS: ${{ toJson(steps.get-pr.outputs) }} + run: echo "$GET_PR_OUTPUTS" - name: Slash Command Dispatch PR uses: peter-evans/slash-command-dispatch@v3 id: scd @@ -57,7 +59,7 @@ jobs: checkout-ref=${{ steps.get-pr.outputs.head_ref }} checkout-repository=${{ steps.get-pr.outputs.head_repo_full_name }} - name: Edit comment with error message - if: steps.scd.outputs.error-message + if: (success() || failure()) && steps.scd.outputs.error-message uses: peter-evans/create-or-update-comment@v3 with: comment-id: ${{ github.event.comment.id }} From 43f30c0b257a8d375888b07bb138b4feac36d1a9 Mon Sep 17 00:00:00 2001 
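Review bot: The new job-level `if: ${{ github.event.issue.pull_request }}` only distinguishes PR comments from issue comments; it is not an authorization check, so the job and its write-scoped `GITHUB_TOKEN` still start for a comment posted by any GitHub account on a public PR. As far as this hunk shows, the "who may dispatch" decision is delegated entirely to the slash-command-dispatch step further down, and the comment on the new line should make that division of responsibility explicit rather than just restating the condition: `# Only PR comments reach this job; whether the commenter may dispatch a command is enforced by the slash-command-dispatch step below`. The earlier "Dump" steps that run before that check only echo JSON through an env var, so they do not widen exposure, but anything added ahead of the dispatch step in future needs to be reviewed with an untrusted actor in mind.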
From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:25:43 -0400 Subject: [PATCH 2/8] Refine permissions for slash commands --- .github/workflows/build-command.yml | 17 ++++++++--------- .github/workflows/help-command.yml | 14 ++++++++------ .github/workflows/slash-command-dispatch.yml | 7 +++---- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml index ce938d15097..4e4e4940336 100644 --- a/.github/workflows/build-command.yml +++ b/.github/workflows/build-command.yml @@ -26,14 +26,13 @@ on: required: false repository_dispatch: types: [build-command] +permissions: {} jobs: build-sh: runs-on: ubuntu-latest permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need + # Give the default GITHUB_TOKEN write permission to commit and push and comment on PR contents: write - issues: write pull-requests: write steps: - name: Create URL to the run output @@ -42,12 +41,12 @@ jobs: - name: Create comment uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} - ## These are if we want to use repository_dispatch (default) +## These are if we want to use repository_dispatch (default) # repository: ${{ github.event.client_payload.github.payload.repository.full_name }} # comment-id: ${{ github.event.client_payload.github.payload.comment.id }} # issue-number: ${{ github.event.client_payload.github.payload.issue.number }} 
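Review bot: `contents: write` remains on the `build-sh` job after this tightening, and elsewhere in the same series the job checks out `github.event.inputs.checkout-repository` / `checkout-ref`, which the dispatcher fills from the PR head — possibly a fork — and then builds from it. That token is therefore exposed to whatever code the checked-out ref contains, and the only control between an arbitrary PR author and it is the collaborator check in the dispatcher workflow, which this hunk cannot see. Record the assumption where the permission is granted, so nobody later relaxes the dispatcher without realising what it protects: `# contents: write is reachable from code checked out at the PR head; only dispatch this workflow for PRs a collaborator has reviewed`. Whether the auto-commit step genuinely needs `contents: write` for fork PRs (where the default token cannot push to the fork anyway) is not determinable from this hunk and is worth confirming.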
@@ -80,7 +79,7 @@ jobs: - name: Create comment starting build.sh uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} @@ -98,7 +97,7 @@ jobs: - name: Add reaction uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} @@ -108,7 +107,7 @@ jobs: if: steps.auto-commit-action.outputs.changes_detected == 'true' uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} @@ -119,7 +118,7 @@ jobs: if: steps.auto-commit-action.outputs.changes_detected == 'false' uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} 
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml index ea6e9f50411..983a5c97664 100644 --- a/.github/workflows/help-command.yml +++ b/.github/workflows/help-command.yml @@ -13,22 +13,24 @@ on: description: 'The comment-id of the slash command' required: true issue-number: - description: 'The issue number in which the slash command was made' - required: true + description: 'The issue number in which the slash command was made' + required: true actor: - description: 'The user who executed the slash command' - required: true + description: 'The user who executed the slash command' + required: true repository_dispatch: types: [help-command] +permissions: {} jobs: help: runs-on: ubuntu-latest - permissions: read-all + permissions: + pull-requests: write steps: - name: Update comment uses: peter-evans/create-or-update-comment@v3 with: - ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] +## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] # token: ${{ secrets.GITHUB_TOKEN }} ## These are if we want to use repository_dispatch (default) # repository: ${{ github.event.client_payload.github.payload.repository.full_name }} diff --git a/.github/workflows/slash-command-dispatch.yml b/.github/workflows/slash-command-dispatch.yml index 78415014e27..a7377ec4254 100644 --- a/.github/workflows/slash-command-dispatch.yml +++ b/.github/workflows/slash-command-dispatch.yml 
@@ -2,16 +2,14 @@ name: Slash Command Dispatch on: issue_comment: types: [created] +permissions: {} jobs: slashCommandDispatch: # This job only runs for pull request comments if: ${{ github.event.issue.pull_request }} runs-on: ubuntu-latest permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need - contents: write - issues: write + actions: write # needed to launch a workflow_dispatch pull-requests: write steps: - name: Dump the event payload context @@ -50,6 +48,7 @@ jobs: build help issue-type: pull-request + permission: write # Collaborator permission required: (`none`, `read`, `triage`, `write`, `maintain`, `admin`), default: `write` dispatch-type: workflow static-args: | repository=${{ github.repository }} From d3b9c3d3486afd8f59e0b7ecc2305ca810f054b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:28:07 -0400 Subject: [PATCH 3/8] Clean unneeded action inputs --- .github/workflows/build-command.yml | 14 -------------- .github/workflows/help-command.yml | 5 ----- 2 files changed, 19 deletions(-) diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml index 4e4e4940336..fa8a84ff177 100644 --- a/.github/workflows/build-command.yml +++ b/.github/workflows/build-command.yml 
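Review bot: The added `permission: write` is the single authorization gate for this ChatOps pipeline — any GitHub account can comment on a public PR, and a dispatched `build` runs code from the PR head with a write token per the companion workflow — yet its trailing comment only copies the action's option list, which is exactly what a future maintainer would read when lowering it to `triage` or `read`. Replace the comment with the reason the value must stay where it is: `permission: write # authz gate: the dispatched build executes PR-head code with a write token, so only collaborators with write access may trigger commands`. Keeping the value explicit even though `write` is the action's current default is the right call, since it pins intent across action upgrades. In the first hunk, `actions: write # needed to launch a workflow_dispatch` is correctly scoped and the removal of `contents: write` from the dispatcher is a genuine reduction.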
@@ -41,15 +41,9 @@ jobs: - name: Create comment uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} -## These are if we want to use repository_dispatch (default) - # repository: ${{ github.event.client_payload.github.payload.repository.full_name }} - # comment-id: ${{ github.event.client_payload.github.payload.comment.id }} - # issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: | > [Command run output](${{ steps.vars.outputs.run-url }}) > Build command workflow started. @@ -79,8 +73,6 @@ jobs: - name: Create comment starting build.sh uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} @@ -97,8 +89,6 @@ jobs: - name: Add reaction uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} 
@@ -107,8 +97,6 @@ jobs: if: steps.auto-commit-action.outputs.changes_detected == 'true' uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} @@ -118,8 +106,6 @@ jobs: if: steps.auto-commit-action.outputs.changes_detected == 'false' uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml index 983a5c97664..77afc6aa027 100644 --- a/.github/workflows/help-command.yml +++ b/.github/workflows/help-command.yml @@ -30,11 +30,6 @@ jobs: - name: Update comment uses: peter-evans/create-or-update-comment@v3 with: -## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot] - # token: ${{ secrets.GITHUB_TOKEN }} - ## These are if we want to use repository_dispatch (default) - # repository: ${{ github.event.client_payload.github.payload.repository.full_name }} - # comment-id: ${{ github.event.client_payload.github.payload.comment.id }} repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} From ca6b51fba65822b4d0a9dfc6f34f37a04efdf656 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:30:12 -0400 Subject: [PATCH 4/8] Fixed slash command's workflow_dispatch inputs --- .github/workflows/build-command.yml | 2 +- .github/workflows/help-command.yml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml index fa8a84ff177..1f5e065a9b2 100644 --- a/.github/workflows/build-command.yml +++ b/.github/workflows/build-command.yml @@ -22,7 +22,7 @@ on: description: "The reference to pass to 'ref' to checkout action" required: true checkout-repository: - description: "The repository to pass to 'repository' to tcheckout action" + description: "The repository to pass to 'repository' to checkout action" required: false repository_dispatch: types: [build-command] diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml index 77afc6aa027..22e1b78d681 100644 --- a/.github/workflows/help-command.yml +++ b/.github/workflows/help-command.yml @@ -17,7 +17,13 @@ on: required: true actor: description: 'The user who executed the slash command' - required: true + required: false + checkout-ref: + description: "The reference to pass to 'ref' to checkout action" + required: false + checkout-repository: + description: "The repository to pass to 'repository' to checkout action" + required: false repository_dispatch: types: [help-command] permissions: {} From 072857c88bee7926e533a91f06cf08870fca1ba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:31:41 -0400 Subject: [PATCH 5/8] Update reactons for peter-evans/create-or-update-comment@v3 --- .github/workflows/build-command.yml | 2 +- .github/workflows/help-command.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
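Review bot: `checkout-ref` and `checkout-repository` become declared inputs of the help workflow, but the `help` job shown earlier in this series only updates a comment and never checks anything out, so they are presumably accepted only because the dispatcher passes the same `static-args` to every command. State that next to the inputs so nobody later wires them into an `actions/checkout` step in a job that has no reason to run PR-head code: `# Unused by this workflow; accepted only because slash-command-dispatch sends the same static-args to every command`. Making `actor` optional looks consistent with the dispatcher no longer sending it, but that cannot be confirmed from this hunk.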
diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml index 1f5e065a9b2..7f3457b4a75 100644 --- a/.github/workflows/build-command.yml +++ b/.github/workflows/build-command.yml @@ -92,7 +92,7 @@ jobs: repository: ${{ github.event.inputs.repository }} comment-id: ${{ github.event.inputs.comment-id }} issue-number: ${{ github.event.inputs.issue-number }} - reaction-type: hooray + reactions: hooray - name: Create final comment updated files if: steps.auto-commit-action.outputs.changes_detected == 'true' uses: peter-evans/create-or-update-comment@v3 diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml index 22e1b78d681..5b9ad2c3af1 100644 --- a/.github/workflows/help-command.yml +++ b/.github/workflows/help-command.yml @@ -45,4 +45,4 @@ jobs: > /build | Updates the Dockerfile, documentation, and other files from the yml descriptors > /build [ref=...]| Same as /build, but executes workflow in any branch using the ref named argument. The reference can be a branch, tag, or a commit SHA. This can be useful to test workflows in PR branches before merging. > /help | Returns this help message - reaction-type: hooray \ No newline at end of file + reactions: hooray From 6d440db58f37df8b7b614f369cfb6135b6a7a793 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:32:39 -0400 Subject: [PATCH 6/8] Add a failure reaction in slash-command-dispatch.yml --- .github/workflows/slash-command-dispatch.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slash-command-dispatch.yml b/.github/workflows/slash-command-dispatch.yml index a7377ec4254..cb1793dd2d6 100644 --- a/.github/workflows/slash-command-dispatch.yml +++ b/.github/workflows/slash-command-dispatch.yml 
@@ -63,4 +63,11 @@ jobs: with: comment-id: ${{ github.event.comment.id }} body: | - > ${{ steps.scd.outputs.error-message }} \ No newline at end of file + > ${{ steps.scd.outputs.error-message }} + reactions: confused + - name: Add failure reaction + if: failure() + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ github.event.comment.id }} + reactions: -1 From d5ab2b6626363e280a92915fd6146029f06b85ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:33:10 -0400 Subject: [PATCH 7/8] Upgrade actions/setup-python to 4.7.1 in build-command.yml --- .github/workflows/build-command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml index 7f3457b4a75..9098337c53f 100644 --- a/.github/workflows/build-command.yml +++ b/.github/workflows/build-command.yml @@ -63,7 +63,7 @@ jobs: repository: ${{ github.event.inputs.checkout-repository }} ref: ${{ github.event.inputs.checkout-ref }} - name: Setup Python - uses: actions/setup-python@v4.5.0 + uses: actions/setup-python@v4.7.1 with: # Version range or exact version of Python or PyPy to use, using SemVer's version range syntax. Reads from .python-version if unset. python-version-file: '.python-version' # Read python version from a file .python-version From 0d20c03ce9d2352c5c1ca49c26adbaff905f1904 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Sat, 21 Oct 2023 16:45:35 -0400 Subject: [PATCH 8/8] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe6c3e3cabc..12c0a0df8ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
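Review bot: `reactions: -1` is an unquoted YAML scalar and parses as the integer -1; GitHub Actions stringifies inputs before the action sees them, so this works, but the same habit with `+1` would silently become `1` (sign dropped) and the reaction call would be rejected. Quote reaction names that are not plain words: `reactions: '-1'`. The `if: failure()` step will also fire when the dispatch step fails without having set `steps.scd.outputs.error-message`, which appears to be the intent given the preceding error-message step is gated on that output, but a one-line comment on the new step saying it is the catch-all for failures the error-message step cannot explain would make that explicit.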
@@ -31,6 +31,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Add the other maintainers globally to the CODEOWNERS file ([#3008](https://github.com/oxsecurity/megalinter/pull/3008)) - Free disk space earlier in the process to avoid failure during docker build - Set flavors-stats.json as a generated file in .gitattributes ([#3023](https://github.com/oxsecurity/megalinter/pull/3023)) + - Update and fix our ChatOps automations to only run on pull request comments, by @echoix in [#3034](https://github.com/oxsecurity/megalinter/pull/3034) - Linter versions upgrades - [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) from 0.80.2 to **0.80.3** on 2023-09-24